Your message dated Sat, 06 Mar 2021 16:48:50 +0000
with message-id <[email protected]>
and subject line Bug#984508: fixed in cpl-plugin-naco 4.4.9+dfsg-3
has caused the Debian Bug report #984508,
regarding cpl-plugin-amber-calibre: combined remote/local privilege escalation in maintainer script
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
984508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984508
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cpl-plugin-amber-calib
Version: 4.4.0+dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
The maintainer script of cpl-plugin-amber-calib has this code:
https://sources.debian.org/src/cpl-plugin-amber/4.4.0+dfsg-2/debian/cpl-plugin-calib.postinst.in/#L23
| wget -O- ${URL} | \
| tar xzO ${TAR} | \
| tar xzC ${TARGETDIR} ${COMPONENTS} --strip-components=1
The URL is an unencrypted ftp:// URL. A malicious remote could easily
replace the requested archive and supply a different version. Such a
replacement could include a setuid root binary for instance. Once
installed, a local user can use it for a local privilege escalation.
I guess that this is not the only cpl plugin affected by this kind of
vulnerability.
Helmut
--- End Message ---
--- Begin Message ---
Source: cpl-plugin-naco
Source-Version: 4.4.9+dfsg-3
Done: Ole Streicher <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cpl-plugin-naco, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ole Streicher <[email protected]> (supplier of updated cpl-plugin-naco package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 06 Mar 2021 17:23:55 +0100
Source: cpl-plugin-naco
Architecture: source
Version: 4.4.9+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Maintainers <[email protected]>
Changed-By: Ole Streicher <[email protected]>
Closes: 984508
Changes:
cpl-plugin-naco (4.4.9+dfsg-3) unstable; urgency=medium
.
* Check SHA sum for downloaded calibration file (Closes: #984508)
--- End Message ---
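The pipeline quoted in the report streams an archive fetched over plain ftp:// straight into tar, so whatever the network returns is written under TARGETDIR. The closing changelog entry says the fix was to check a SHA sum on the downloaded file. As an added example (shell, not code from the cpl-plugin packages or from the bug report), this is that step restructured so the archive is saved to disk, its SHA-256 is compared with a value pinned in the package, and extraction happens only on a match. The function names, the pinned-checksum variable and the sample archive are hypothetical; the inner `tar xzO` layer of the original pipeline is left out.

```shell
#!/bin/sh
# Added example: download, verify, then extract. The names used here are
# hypothetical and not taken from the Debian maintainer scripts.
set -eu

# Compare the SHA-256 of ARCHIVE with EXPECTED (hex). Returns 1 on mismatch.
verify_sha256() {
    archive=$1
    expected=$2
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 TARGETDIR [MEMBER...]
# Extracts the requested members into TARGETDIR only after the checksum
# matches; an unverified archive never touches TARGETDIR.
verify_and_extract() {
    archive=$1
    expected=$2
    targetdir=$3
    shift 3
    if ! verify_sha256 "$archive" "$expected"; then
        echo "checksum mismatch for $archive, refusing to extract" >&2
        return 1
    fi
    mkdir -p "$targetdir"
    tar -x -z -C "$targetdir" --strip-components=1 -f "$archive" "$@"
}

# fetch_verify_extract URL EXPECTED_SHA256 TARGETDIR [MEMBER...]
# Same as the original pipeline, but the download lands in a temporary
# file and is verified before tar ever reads it.
fetch_verify_extract() {
    url=$1
    shift
    tmp=$(mktemp)
    wget -q -O "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    rc=0
    verify_and_extract "$tmp" "$@" || rc=$?
    rm -f "$tmp"
    return $rc
}

# In a postinst this would be called with the page's variables and a
# checksum shipped inside the package (hypothetical variable name):
# fetch_verify_extract "${URL}" "${PINNED_SHA256}" "${TARGETDIR}" ${COMPONENTS}
```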